DivestOS/Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch
2017-11-07 17:32:46 -05:00

45 lines
1.6 KiB
Diff

From 0b5f49b360afdebf8ef55df1e48ec141b3629621 Mon Sep 17 00:00:00 2001
From: Fred Oh <fred@codeaurora.org>
Date: Fri, 11 Oct 2013 15:07:45 -0700
Subject: ASoc: msm: qdsp6v2: add vm page offset validation
Lack of range validation can lead wrong mapping or expose arbitrary
memory page to userspace
Change-Id: I8c6eb1b7255d444bffd9d3748ca4815b11bdf16a
Signed-off-by: Fred Oh <fred@codeaurora.org>
---
arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c')
diff --git a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
index 0a50bcc..2d375ac 100644
--- a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
+++ b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
@@ -269,6 +269,7 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
} else {
ion_phys_addr_t phys_addr;
size_t phys_len;
+ size_t va_len = 0;
pr_debug("%s: page is NULL\n", __func__);
ret = ion_phys(ab->client, ab->handle, &phys_addr, &phys_len);
@@ -282,6 +283,12 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
vma, (unsigned int)vma->vm_start,
(unsigned int)vma->vm_end, vma->vm_pgoff,
(unsigned long int)vma->vm_page_prot);
+ va_len = vma->vm_end - vma->vm_start;
+ if ((offset > phys_len) || (va_len > phys_len-offset)) {
+ pr_err("wrong offset size %ld, lens= %d, va_len=%d\n",
+ offset, phys_len, va_len);
+ return -EINVAL;
+ }
ret = remap_pfn_range(vma, vma->vm_start,
__phys_to_pfn(phys_addr) + vma->vm_pgoff,
vma->vm_end - vma->vm_start,
--
cgit v1.1